Skill v1.0.0
ClawScan security
Global Economy Daily · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 14, 2026, 3:22 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's goal (generate and push a daily economic report) is plausible, but there are multiple mismatches between the README instructions and the code (push functionality is not implemented, config is unused, and a hardcoded QQ target is present), so it looks sloppy or incomplete and requires further verification before use.
- Guidance: Key things to consider before installing or running this skill:
  - The code generates a report but does NOT actually send it; the message-sending call is commented out. If you expect automated pushes, ask the author or inspect/implement a safe message-sending path before enabling scheduling.
  - The instructions tell you to edit scripts/config.py, but the main script doesn't import that file; confirm and fix this mismatch so you control the target and behavior.
  - A QQ target identifier is hardcoded. Remove or replace it with your own target and ensure any push code requires explicit credentials (and doesn't leak data to unknown recipients).
  - No credentials are requested; if you wire up push functionality you will need to supply auth tokens. Prefer storing these in secure environment variables or platform secrets, not in plaintext config files.
  - The SKILL.md references a templates/ file that is not present; verify completeness with the author.
  - Run the script locally first (it currently only prints the report) and review network calls (only Yahoo Finance is used) before enabling any scheduled task.
  If you want help patching the code to use the config file and to require explicit, securely stored credentials for QQ/Feishu, ask for a code review or a safe implementation guide.
Review Dimensions
- Purpose & Capability (concern): The declared purpose is to generate AND send reports to QQ/Feishu. The repository contains a report generator, but there is no working push implementation: the main script prints the report and has a commented TODO for sending (the message call is commented out). The SKILL.md and scripts/config.py tell the user to configure push channels/targets, yet global_economy_daily.py defines its own CHANNEL/TARGET and does not import scripts/config.py, a clear mismatch. The template file referenced in SKILL.md (templates/report_template.md) is also absent from the manifest.
- Instruction Scope (concern): Runtime instructions ask the user to edit scripts/config.py and to install a macOS LaunchAgent to schedule pushes; however, the executable script ignores that config file, so following the instructions will not produce the intended push behavior. The code only performs network requests to Yahoo Finance to fetch market data (expected). There is no instruction or code that reads unrelated system files or environment secrets.
- Install Mechanism (ok): No install spec or external downloads are present; this is instruction/code-only and uses only the Python standard library (urllib). That minimizes supply-chain risk: nothing is auto-downloaded or executed outside the repository.
- Credentials (concern): The skill declares no required environment variables or credentials, but to actually send messages to QQ or Feishu it would need authentication (not declared). Additionally, a QQ target identifier (QQ_TARGET / TARGET) is hardcoded in scripts/config.py and in the main script; this is a privacy/operational concern because a default recipient is baked into the code. The fact that credentials are neither requested nor used is inconsistent with the stated push functionality.
- Persistence & Privilege (ok): The skill does not request persistent system privileges and is not set to always:true. SKILL.md suggests creating a user LaunchAgent to schedule the script; that is a user action (normal). The skill does not attempt to modify other skills or system-wide settings on its own.
